b'January 30, 2014\n\nSylvia Mathews Burwell\nDirector\nOffice of Management and Budget\n725 17th Street NW\nWashington, DC 20503\n\nDear Ms. Burwell:\n\nThis letter describes the progress that the Department of Health and Human Services (HHS) has\nmade in implementing previous purchase and travel card audit recommendations and the status\nof the HHS, Office of Inspector General (HHS OIG) annual risk assessment. This letter is being\nissued to meet the requirements of the Government Charge Card Abuse Prevention Act of 2012\n(P.L. No. 112-194) (Charge Card Act): to report to the Director of the Office of Management and\nBudget (OMB) on agency progress in the implementation of recommendations on charge-card-\nrelated findings. In addition, while not required for this report, we also explain how we intend to\nconduct required annual risk assessments of agency purchase cards.\n\nFirst, the Charge Card Act requires executive-branch agencies (agencies) to be aware of charge-\ncard-related audit findings and to ensure that the findings are promptly resolved after completion\nof an audit. The Charge Card Act requires that Offices of Inspector General (OIGs) report to the\nDirector of OMB no more than 120 days after the end of each fiscal year (FY) on their agencies\xe2\x80\x99\nprogress to implement audit recommendations, beginning with the FY 2013 submission, due by\nJanuary 31, 2014. HHS OIG did not perform any evaluations or audits related to HHS\xe2\x80\x99s charge\ncard program for FY 2013. 1 To fulfill the mandate in the Charge Card Act for FY 2013,\npursuant to OMB guidance (M-13-21), we are reporting on the implementation of\nrecommendations made in our two most recent reviews related to HHS\xe2\x80\x99s purchase and travel\ncard programs (FYs 2007 and 2009). These reviews illustrate our past work regarding HHS\xe2\x80\x99s\ncharge card program and compliance with Federal laws and departmental guidance. We also\nsummarize HHS\xe2\x80\x99s actions to address our recommendations to improve operations regarding its\ncharge card activities.\n\nSecond, the Charge Card Act requires agencies to establish and maintain safeguards and internal\ncontrols for purchase cards, travel cards, integrated cards, and centrally billed accounts. 2 OIGs\n\n1\n    The charge card program includes purchase, travel, integrated, and centrally billed Government credit cards.\n2\n  The Charge Card Act also includes provisions that agencies and OIGs are responsible for beyond what is addressed\nin this report. For example, the agency head and the OIG are required to prepare a semiannual Joint Purchase and\nIntegrated Card Violation Report due on January 31, 2014, and July 31, 2014. OMB issued memorandum M-13-21,\nImplementation of the Government Charge Card Abuse and Prevention Act of 2012 (September 6, 2013), to provide\nan overview of the Charge Card Act related to required safeguards and internal controls, reports of purchase card\nviolations, and all OIG risk assessments and audits.\n\x0cPage 2 \xe2\x80\x93 Sylvia Mathews Burwell\n\n\nare required to conduct annual risk assessments of agency purchase cards (including convenience\nchecks 3), combined integrated card programs, and travel card programs to analyze the risks of\nillegal, improper, and erroneous purchases. OIGs are required to report to the heads of their\nagencies on the results of their analyses. Further, for agencies with more than $10,000,000 in\ntravel card spending, OIGs are required to conduct periodic audits or reviews of travel card\nprograms to analyze risks of illegal, improper, or erroneous purchases and payments. OIGs are\nrequired to report to the Director of OMB and to Congress the findings of those audits or\nreviews, along with recommendations to prevent improper use of travel cards. Subsequent to\nissuance of OMB M-13-21, dated September 6, 2013, as required, HHS OIG took steps to plan\nits first risk assessment under the Charge Card Act. The first risk assessment will cover FY 2013\nHHS charge card program transactions. 4 HHS OIG will use its annual risk assessments to\ndetermine the necessary scope, frequency, and number of audits or reviews of HHS\xe2\x80\x99s various\ncharge card programs.\n\nAudit Recommendations Status Report\n\nSince 2007, we have issued the following two reports related to HHS\xe2\x80\x99s purchase and travel\ncards:\n\n    \xe2\x80\xa2   Emergency Response to Hurricane Katrina: Use of the Government Purchase Card, OEI-\n        07-06-00150, May 2007.\n\n    \xe2\x80\xa2   Department of Health and Human Services Employee Travel Cards: Usage and Internal\n        Controls, OEI-07-07-00480, April 2009.\n\nWe describe each report (including the reported findings), the recommendations we made, and\nthe actions HHS has taken to address our recommendations below:\n\nEmergency Response to Hurricane Katrina: Use of the Government Purchase Card\n(OEI-07-06-00150)\n\nWe reviewed HHS\xe2\x80\x99s use of purchase cards in response to Hurricane Katrina for the period\nAugust 28 to December 14, 2005. We found that 15 percent of purchases did not comply with\nselected purchase card requirements, cardholders had concerns regarding the legality and\ncomplexity of some purchases, and purchase data contained inaccuracies. We recommended that\nHHS (1) provide additional written guidance on emergency purchasing procedures, (2) require\ntraining on emergency purchasing procedures, and (3) develop a tracking system for monitoring\nGovernment purchase card transactions during emergency situations.\n\nIn response to recommendations one and three, HHS issued guidance on using the purchase card\nfor emergency situations and added a requirement to keep a log of all Government purchase card\n\n\n3\n Convenience checks are used in the purchase card program to make purchases from merchants who do not accept\npurchase cards.\n4\n  The Charge Card Act was signed into law on October 5, 2012. As such, it was determined that HHS OIG\xe2\x80\x99s first\nrisk assessment would cover FY 2013.\n\x0cPage 3 \xe2\x80\x93 Sylvia Mathews Burwell\n\n\ntransactions during emergency situations (Purchase Card Guide, version 4.0, July 2007). In\nresponse to the second recommendation, HHS improved its existing purchase card training,\nincluding mock scenarios and roles and responsibilities designed specifically for emergency\nsituations. We determined that HHS\xe2\x80\x99s actions were sufficient and closed these\nrecommendations.\n\nDepartment of Health and Human Services Employee Travel Cards: Usage and Internal\nControls (OEI-07-07-00480)\n\nWe reviewed HHS\xe2\x80\x99s usage and internal controls over its travel card program for calendar year\n2007. Our review covered a simple random sample of 220 transactions from a population of\n346,441 unique travel card transactions. We estimated that 6 percent of travel card transactions\nconstituted misuse: 5 4 percent for personal purchases while the cardholders were not on official\ntravel, 1 percent for personal purchases while the cardholders were on official travel, and\n1 percent for local travel expenses. From the 346,441 unique travel card transactions, we\nidentified a subset population of 53,504 transactions that did not match electronic vouchers.\nFrom this population, we reviewed a stratified random sample of 213 transactions. We estimated\nthat 27 percent of these transactions constituted misuse: 21 percent for personal purchases,\n2 percent for local travel expenses, 2 percent for conference registration, and 1 percent for travel-\nrelated expenses of persons other than cardholders. 6 In addition, we found that training\nrequirements were not met and program guidance was insufficient in some areas. Specifically:\n\n       \xe2\x80\xa2   Guidance did not address whether the following types of transactions are considered\n           misuse:\n\n           (1) a purchase of a passport photo,\n\n           (2) purchases of meals on the first or last day of travel in the employee\xe2\x80\x99s office location,\n\n           (3) paying for another traveler\xe2\x80\x99s meals,\n\n           (4) purchases of gasoline for personal vehicles,\n\n           (5) cost of mailing materials to an employee\xe2\x80\x99s office, and\n\n           (6) conference registration.\n\n       \xe2\x80\xa2   Guidance did not describe specific followup actions and penalties for travel card misuse.\n\n\n\n\n5\n  We defined \xe2\x80\x9cmisuse\xe2\x80\x9d as the use of a Federal charge card for other than the official Government purpose for which\nit was intended.\n6\n    Because of rounding, the percentages do not add to 27.\n\x0cPage 4 \xe2\x80\x93 Sylvia Mathews Burwell\n\n\nFurthermore, HHS took followup action on less than one-third of the sampled transactions that\nconstituted misuse. 7 We recommended that HHS improve (1) travel card program guidance and\ntraining and (2) methods to identify misuse. In response to these recommendations, HHS took\nthe following corrective actions, which we determined were sufficient to close the\nrecommendations:\n\n    \xe2\x80\xa2   HHS updated the HHS Travel Manual in May 2008, published a pamphlet entitled\n        \xe2\x80\x9cTravel Card Do\xe2\x80\x99s and Don\xe2\x80\x99ts for Employees\xe2\x80\x9d in September 2008, and updated\n        memoranda to cardholders and cardholder supervisors in February 2009.\n\n    \xe2\x80\xa2   HHS issued Instruction 752 as part of the HHS Human Resources Manual that provided\n        specific department wide guidance regarding disciplinary penalties for first and\n        subsequent offenses related to travel card misuse and abuse.\n\n    \xe2\x80\xa2   HHS issued a memorandum entitled \xe2\x80\x9cTravel Card Program Zero Tolerance and\n        Disciplinary Policy\xe2\x80\x9d for monitoring and reporting misuse/abuse of the Government travel\n        card (June 2, 2009).\n\n    \xe2\x80\xa2   HHS required all agency/organization program coordinators to take an online course and\n        training seminar.\n\n    \xe2\x80\xa2   HHS trained appropriate personnel in the use of Visa\xe2\x80\x99s IntelliLink 8 tool that reports on\n        and analyzes travel card transactions by setting rules for tracking certain transaction types\n        and identifying transactions that may need further investigation.\n\n    \xe2\x80\xa2   HHS also implemented an internal data mining tool to identify potential misuses.\n\nAnnual Risk Assessment\n\nAlthough OIGs are not required to report on their annual risk assessments to OMB, for this year,\nwe have elected to report on actions we will take to conduct our first risk assessment under the\nCharge Card Act for FY 2013. To assess HHS\xe2\x80\x99s ability to manage internal controls for and risk\nin its charge card program, we are using the Enterprise Risk Management\xe2\x80\x93Integrated Framework\n(ERM) developed by the Committee of Sponsoring Organizations of the Treadway\nCommission. 9 The ERM consists of eight interrelated components that are derived from the way\nmanagement runs an organization. These components are internal environment, objective\n\n\n7\n We considered followup actions as occurring when cardholders received verbal counseling or disciplinary action\nbefore this review\xe2\x80\x99s fieldwork.\n8\n  Visa IntelliLink is an information management tool available to HHS. It provides a complete reporting and full-\nfeatured expense management tool. Two of the twelve HHS operating divisions use Visa IntelliLink to analyze\npurchase card expenses.\n9\n The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five private sector\norganizations dedicated to providing thought leadership through the development of frameworks and guidance on\nenterprise risk management, internal controls, and fraud deterrence designed to improve organizational performance\nand governance and to reduce the extent of fraud in organizations.\n\x0cPage 5 \xe2\x80\x93 Sylvia Mathews Burwell\n\n\nsetting, event identification, risk assessment, risk response, control activities, information and\ncommunication, and monitoring. Our risk-assessment tool is based on ERM concepts. We have\nused this approach in our prior audit work, most notably our work based on the American\nRecovery and Reinvestment Act of 2009. The ERM provides a common language, concepts, and\nprinciples that facilitate targeting the riskiest organizations and transactions to audit, study, and\ninvestigate.\n\nAs part of our assessment, we will identify the controls, procedures, and practices that, if present\nand functioning properly, indicate that associated risk is at an acceptable level. We will evaluate\nthe likelihood of a risk event occurring and the magnitude of the impact. We will use the results\nof the risk assessment to identify high-risk and high-impact areas warranting an audit, 10 study, or\ninvestigation.\n\nSummary\n\nOver the past 7 years, we have performed two reviews of HHS purchase and travel cards. We\nhave followed up and closed the recommendations from those reviews and have developed a tool\nfor conducting risk assessments that will meet the requirements of the Charge Card Act. By\nusing this tool, we will target our audit resources to facilitate the comprehensive measurement of\nrisk for HHS\xe2\x80\x99s Operating Divisions.\n\nIf you have any questions or concerns regarding this letter, please contact me or your staff may\ncontact Gloria Jarmon, Deputy Inspector General for Audit Services, at 202-619-3155 or through\nemail at Gloria.Jarmon@oig.hhs.gov. Please refer to number A-04-14-06173 in all\ncorrespondence.\n\n                                                   Sincerely,\n\n\n\n                                                   /Joanne Chiedi/\n                                                   Principal Deputy Inspector General\n\n\ncc:\nNorman Dong\nDeputy Controller\nOffice of Management and Budget\n\n\n\n\n10\n   HHS met the $10 million threshold in travel card spending to have periodic audits or reviews conducted of its\ntravel card program. HHS spent approximately $73 million and $59 million, respectively, in FYs 2012 and 2013 for\ntravel card purchases.\n\x0c'